( baseFetch: FetchLike, provider: ClaudeAuthProvider, )
| 1352 | * to the PKCE flow. See github.com/anthropics/claude-code/issues/28258. |
| 1353 | */ |
export function wrapFetchWithStepUpDetection(
  baseFetch: FetchLike,
  provider: ClaudeAuthProvider,
): FetchLike {
  // Match both quoted and unquoted values (RFC 6750 §3 allows either).
  // Same pattern as the SDK's extractFieldFromWwwAuth. The pattern has no
  // g/y flag, so exec() keeps no state and one instance can serve every call.
  const scopeParam = /scope=(?:"([^"]+)"|([^\s,]+))/

  return async (url, init) => {
    const res = await baseFetch(url, init)

    // The challenge header is only read for 403 responses; every other
    // status is passed through without inspection.
    const challenge =
      res.status === 403 ? res.headers.get('WWW-Authenticate') : null

    // This is a substring test over the whole header value, not a parse of
    // the error parameter.
    if (challenge?.includes('insufficient_scope')) {
      const found = scopeParam.exec(challenge)
      const requested = found?.[1] ?? found?.[2]
      if (requested) {
        // NOTE(review): `requested` is copied verbatim from the remote
        // server's response header. Confirm that whatever consumes the
        // pending step-up scope limits it to scopes this client is willing
        // to ask for before it reaches an authorization request.
        provider.markStepUpPending(requested)
      }
    }

    // The response itself is never altered; detection is a side effect only.
    return res
  }
}
| 1375 | |
| 1376 | export class ClaudeAuthProvider implements OAuthClientProvider { |
| 1377 | private serverName: string |
no test coverage detected